怎样才能顺利上网

[xwp911]

在以下条件下，怎样开启80端口才能顺利上网
Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
以下命令，不行啊
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

[xwp911]

#清空所有表中的规则
/sbin/iptables -F
#
#删除自定义链
/sbin/iptables -X
#
#设置默认策略
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP



/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

以上脚本为何不能上网浏览呢

[poloshiao]

以上脚本为何不能上网浏览呢
先
把下面指令 複製 貼進終端機 執行
0. uname -r
1. sudo lspci -knn
2. sudo lshw -numeric -class network
3. sudo ifconfig -a
4. sudo route -nv
5. sudo dhclient -v
6. sudo cat /etc/network/interfaces
7. sudo ls -al /etc/resolv.conf
8. sudo cat /run/resolvconf/resolv.conf
把結果直接 選取/複製/貼上
http://paste.ubuntu.com
再把回應網址貼上來
不必擷圖

[xwp911]

xwp@xwp-VirtualBox ~ $ uname -r
3.13.0-24-generic
xwp@xwp-VirtualBox ~ $ sudo lspci -knn
00:00.0 Host bridge [0600]: Intel Corporation 440FX - 82441FX PMC [Natoma] [8086:1237] (rev 02)
00:01.0 ISA bridge [0601]: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II] [8086:7000]
00:01.1 IDE interface [0101]: Intel Corporation 82371AB/EB/MB PIIX4 IDE [8086:7111] (rev 01)
Kernel driver in use: ata_piix
00:02.0 VGA compatible controller [0300]: InnoTek Systemberatung GmbH VirtualBox Graphics Adapter [80ee:beef]
00:03.0 Ethernet controller [0200]: Intel Corporation 82540EM Gigabit Ethernet Controller [8086:100e] (rev 02)
Subsystem: Intel Corporation PRO/1000 MT Desktop Adapter [8086:001e]
Kernel driver in use: e1000
00:04.0 System peripheral [0880]: InnoTek Systemberatung GmbH VirtualBox Guest Service [80ee:cafe]
Kernel driver in use: vboxguest
00:05.0 Multimedia audio controller [0401]: Intel Corporation 82801AA AC'97 Audio Controller [8086:2415] (rev 01)
Subsystem: Intel Corporation Device [8086:0000]
Kernel driver in use: snd_intel8x0
00:06.0 USB controller [0c03]: Apple Inc. KeyLargo/Intrepid USB [106b:003f]
Kernel driver in use: ohci-pci
00:07.0 Bridge [0680]: Intel Corporation 82371AB/EB/MB PIIX4 ACPI [8086:7113] (rev 08)
00:0b.0 USB controller [0c03]: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB2 EHCI Controller [8086:265c]
Kernel driver in use: ehci-pci
00:0d.0 SATA controller [0106]: Intel Corporation 82801HM/HEM (ICH8M/ICH8M-E) SATA Controller [AHCI mode] [8086:2829] (rev 02)
Kernel driver in use: ahci
xwp@xwp-VirtualBox ~ $ sudo lshw -numeric -class network
*-network
description: Ethernet interface
product: 82540EM Gigabit Ethernet Controller [8086:100E]
vendor: Intel Corporation [8086]
physical id: 3
bus info: pci@0000:00:03.0
logical name: eth0
version: 02
serial: 08:00:27:0b:e4:a7
size: 1Gbit/s
capacity: 1Gbit/s
width: 32 bits
clock: 66MHz
capabilities: pm pcix bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=e1000 driverversion=7.3.21-k8-NAPI duplex=full ip=10.0.2.15 latency=64 link=yes mingnt=255 multicast=yes port=twisted pair speed=1Gbit/s
resources: irq:10 memory:f0000000-f001ffff ioport:d010(size=8)
xwp@xwp-VirtualBox ~ $ sudo ifconfig -a
eth0 Link encap:以太网 硬件地址 08:00:27:0b:e4:a7
inet 地址:10.0.2.15 广播:10.0.2.255 掩码:255.255.255.0
inet6 地址: fe80::a00:27ff:fe0b:e4a7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 跃点数:1
接收数据包:2481 错误:0 丢弃:0 过载:0 帧数:0
发送数据包:1681 错误:0 丢弃:0 过载:0 载波:0
碰撞:0 发送队列长度:1000
接收字节:2334369 (2.3 MB) 发送字节:239227 (239.2 KB)

lo Link encap:本地环回
inet 地址:127.0.0.1 掩码:255.0.0.0
inet6 地址: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 跃点数:1
接收数据包:273 错误:0 丢弃:0 过载:0 帧数:0
发送数据包:273 错误:0 丢弃:0 过载:0 载波:0
碰撞:0 发送队列长度:0
接收字节:23336 (23.3 KB) 发送字节:23336 (23.3 KB)

xwp@xwp-VirtualBox ~ $ sudo route -nv
内核 IP 路由表
目标 网关 子网掩码 标志 跃点 引用 使用 接口
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
xwp@xwp-VirtualBox ~ $ sudo dhclient -v
Internet Systems Consortium DHCP Client 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/08:00:27:0b:e4:a7
Sending on LPF/eth0/08:00:27:0b:e4:a7
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 (xid=0x6b635118)
DHCPREQUEST of 10.0.2.15 on eth0 to 255.255.255.255 port 67 (xid=0x6b635118)
DHCPOFFER of 10.0.2.15 from 10.0.2.2
DHCPACK of 10.0.2.15 from 10.0.2.2
RTNETLINK answers: File exists
bound to 10.0.2.15 -- renewal in 42761 seconds.
xwp@xwp-VirtualBox ~ $ sudo cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
xwp@xwp-VirtualBox ~ $ sudo ls -al /etc/resolv.conf
lrwxrwxrwx 1 root root 29 8月 24 2014 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
xwp@xwp-VirtualBox ~ $ sudo cat /run/resolvconf/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.0.2.3
nameserver 127.0.1.1
search home

[poloshiao]

sudo cat /run/resolvconf/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.0.2.3
nameserver 127.0.1.1
search home

1. /run/resolvconf/resolv.conf
改為
nameserver 127.0.1.1
nameserver 10.0.2.3
nameserver 8.8.8.8
search home

2. 試試 能否上網

3. 這是 一次性有效
重開機 就恢復原來

3. 結果如何 請再貼文

[xwp911]

还是不行。
请问，在正常情况下，我的脚本是否应该没有问题？是否应该可以上网？

[poloshiao]

#设置默认策略
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

改為
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
試試

[xwp911]

#设置默认策略

改為
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
試試

还是不行啊
唉！要疯了

sudo iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state ESTABLISHED

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state NEW,ESTABLISHED

怎么就不行呢？？

[xwp911]

默认DROP策略下，开放ssh端口就没有问题啊
iptable A INPUT -p tcp dport 22 -j ACCEPT
iptable A OUTPUT -p tcp sport 22 -j ACCEPT

[xwp911]

sudo netstat -pan |grep 80
........
tcp 0 0 192.168.3.7:43052 117.79.92.146:80 ESTABLISHED 11592/firefox
tcp 0 0 192.168.3.7:39647 106.120.181.50:80 ESTABLISHED 11592/firefox
tcp 0 0 192.168.3.7:39649 106.120.181.50:80 ESTABLISHED 11592/firefox
tcp 0 0 192.168.3.7:57130 117.79.93.221:80 ESTABLISHED 11592/firefox
.......
怎么用的不是８０端口啊

[poloshiao]

怎样开启80端口才能顺利上网

能否談談
能否上網 跟 80 端口
有何關聯 ?

[xwp911]

不好意思，我是小白。
我只是想知道，在策略都是DROP的情况下，怎样设置iptables才能顺利上网。

[poloshiao]

在策略都是DROP的情况下，怎样设置iptables才能顺利上网。

為何需要防火牆 你需要看看
http://zh.wikipedia.org/wiki/%E9%98%B2% ... B%E5%A2%99
http://en.wikipedia.org/wiki/Firewall_%28computing%29

對於 iptables 參閱
https://help.ubuntu.com/community/IptablesHowTo

ufw 是 iptables 的前端程式 只管 income
https://help.ubuntu.com/community/UFW

[lainme]

不太明白你为何需要这么做，清空防火墙规则用ufw不行么?只要启用就可以了。连外面网的端口是随机的，只有提供给别人网络服务时才是固定端口80

[xwp911]

iptables还是很高深的，谢谢大家。
开始使用gufw了，ufw还是比较好上手的。
iptables今后慢慢学吧。